chore: SHA-pin all GitHub Actions across workflows
Mutable action references (@v4, @V3, …) are the same failure mode that
took out tj-actions/changed-files (23k+ repos compromised in Q1 2026)
and trivy-action. An attacker who compromises an action's maintainer
account can silently re-point a tag at a malicious SHA, and every
workflow that references that tag pulls the new code on the next run.
Pinning each action by full commit SHA — with the human-readable tag
preserved as a trailing comment — closes that vector. Dependabot's
github-actions ecosystem (enabled in the companion commit) proposes
SHA bumps with the new tag annotated in the PR body, so updates remain
reviewable.
All four workflows pinned; SHAs resolved against current refs as of
this commit, no behavioral change intended.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
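As an added check that is not part of this commit or its repository, the following Python scanner flags `uses:` references that are not pinned to a full 40-character commit SHA, and full-SHA pins that lack the trailing tag comment the message relies on for reviewable bumps. The sample workflow and the SHA in it are constructed placeholders.

```python
import re
from typing import List, Optional, Tuple

# One `uses:` line; quotes optional, trailing `# comment` captured separately.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?\s*(#.*)?$')
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')

def classify_uses(ref: str, comment: Optional[str]) -> str:
    """'pinned' (full SHA + tag comment), 'pinned-bare' (full SHA, no
    comment), 'mutable' (tag, branch or short SHA), 'no-ref' (no @ at all,
    follows the default branch) or 'skipped' (local path / docker image)."""
    if ref.startswith('./') or ref.startswith('docker://'):
        return 'skipped'
    if '@' not in ref:
        return 'no-ref'
    git_ref = ref.rsplit('@', 1)[1]
    if not FULL_SHA_RE.match(git_ref):
        return 'mutable'          # a maintainer can re-point this ref
    if comment and comment.lstrip('#').strip():
        return 'pinned'
    return 'pinned-bare'          # reviewable only by resolving the SHA

def scan_workflow(text: str) -> List[Tuple[int, str, str]]:
    """(line_no, uses value, status) for every `uses:` that is not fully pinned."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        status = classify_uses(m.group(1), m.group(2))
        if status not in ('pinned', 'skipped'):
            findings.append((line_no, m.group(1), status))
    return findings

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.2
  - uses: actions/cache@0123456789abcdef0123456789abcdef01234567
  - uses: ./.github/actions/local-step
  - uses: some-org/some-action
  - uses: actions/upload-artifact@abc1234
"""

if __name__ == '__main__':
    for line_no, ref, status in scan_workflow(SAMPLE_WORKFLOW):
        print(f'line {line_no}: {status:<12} {ref}')
```

Run it over `.github/workflows/*.yml` in CI to fail the build when any finding other than `pinned` appears, which is what keeps a later edit from silently reintroducing a mutable tag.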